Tycoon2FA
Tycoon2FA is a phishing-as-a-service (PhaaS) platform active since 2023 that uses adversary-in-the-middle (AiTM) techniques to bypass multi-factor authentication: the phishing page relays the victim's login to the legitimate identity provider and captures both the credentials and the resulting session cookie during the live authentication session. It is described as a subscription-based toolkit sold through Telegram for about $120, and Microsoft has identified it as the most active phishing platform of the year. The platform targets cloud accounts, especially Microsoft 365 and other cloud services, and has been used in large-scale credential harvesting and phishing campaigns.

Observed Tycoon2FA tradecraft includes fake CAPTCHA pages, obfuscated JavaScript that proxies victim credentials to legitimate Microsoft 365 login pages, theft of session cookies after CAPTCHA validation, and automated logins into victims' Microsoft Entra ID accounts once credentials and MFA tokens have been captured. Campaigns have also used anti-bot pages with obfuscated JavaScript, anti-debugger timing checks, browser fingerprinting, URL shorteners, links embedded in legitimate presentation platforms, compromised SharePoint environments, and trusted redirect chains. One reported campaign impersonated a law firm and used a newly spoofed domain to deliver a settlement-agreement signature lure.

Tycoon2FA has also been reported to deploy device code flow phishing, an expansion beyond its established AiTM capability. In these lures the target is asked to enter a code at the legitimate Microsoft sign-in page, and the tokens are then issued to the attacker-controlled client that started the flow, giving access to Microsoft 365 and other cloud environments without the victim ever seeing a fake login page.

Microsoft and Europol disrupted Tycoon2FA in March 2026 in an international operation that seized 330 domains used for phishing pages and control infrastructure. Attacks declined temporarily, but reporting indicates the operators rebuilt infrastructure and resumed operations within days, with activity returning to near prior levels.
Post-disruption reporting says the group shifted infrastructure away from its earlier hosting patterns and increasingly used second-level domains and .ru domains. No sub-groups are reported, and no aliases beyond Tycoon2FA are mentioned in the sources tracked here.
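Two of the patterns above leave a recognisable footprint in identity provider sign-in logs: an AiTM-stolen session cookie is replayed from the operator's network rather than the one that completed MFA, and a device code flow sign-in shows up with its own authentication protocol value. The following triage script is an added example written for this page, not Tycoon2FA's tooling or Microsoft's detection content. The sign-in records are constructed, and the field names (`sessionId`, `asn`, `authenticationProtocol` and so on) are a simplified model of Entra ID sign-in log attributes; map them to your own schema before use.

```python
"""Flag Tycoon2FA-style sign-in patterns in simplified identity sign-in records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real log data. Field names are a simplified
# model of Entra ID sign-in log attributes (assumption: adapt them to your
# schema). "deviceCode" mirrors the protocol value used for device code flow.
SAMPLE_EVENTS = [
    # 1. Legitimate interactive login, MFA satisfied, from the user's usual network.
    {"time": "2026-03-10T08:00:00Z", "user": "alice@example.com", "ip": "203.0.113.10",
     "asn": "AS64500", "sessionId": "S1", "interactive": True, "mfa": True,
     "authenticationProtocol": "none"},
    # 2. Normal follow-on token use from the same session and network.
    {"time": "2026-03-10T08:30:00Z", "user": "alice@example.com", "ip": "203.0.113.10",
     "asn": "AS64500", "sessionId": "S1", "interactive": False, "mfa": False,
     "authenticationProtocol": "none"},
    # 3. AiTM: MFA-satisfied interactive login arrives via the phishing proxy host...
    {"time": "2026-03-10T09:00:00Z", "user": "bob@example.com", "ip": "198.51.100.7",
     "asn": "AS64510", "sessionId": "S2", "interactive": True, "mfa": True,
     "authenticationProtocol": "none"},
    # 4. ...and the captured session cookie is replayed from a different network.
    {"time": "2026-03-10T09:12:00Z", "user": "bob@example.com", "ip": "192.0.2.44",
     "asn": "AS64520", "sessionId": "S2", "interactive": False, "mfa": False,
     "authenticationProtocol": "none"},
    # 5. Device code flow: the user entered a code at the real sign-in page, but the
    #    tokens went to the client that started the flow (the attacker's).
    {"time": "2026-03-10T10:05:00Z", "user": "carol@example.com", "ip": "192.0.2.44",
     "asn": "AS64520", "sessionId": "S3", "interactive": True, "mfa": True,
     "authenticationProtocol": "deviceCode"},
]


def parse_time(value):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def flag_device_code(events):
    """Every device code flow sign-in merits review; most tenants see few or none."""
    return [e for e in events if e.get("authenticationProtocol") == "deviceCode"]


def flag_session_replay(events, window=timedelta(hours=24)):
    """Same user and session ID seen from more than one ASN within `window`.

    This is the AiTM footprint: the cookie issued to the proxy that completed
    MFA is later replayed from the operator's own infrastructure.
    """
    by_session = defaultdict(list)
    for e in events:
        by_session[(e["user"], e["sessionId"])].append(e)
    hits = []
    for (user, sid), evs in by_session.items():
        evs.sort(key=lambda e: parse_time(e["time"]))
        first = evs[0]
        for later in evs[1:]:
            elapsed = parse_time(later["time"]) - parse_time(first["time"])
            if later["asn"] != first["asn"] and elapsed <= window:
                hits.append({"user": user, "sessionId": sid,
                             "first_ip": first["ip"], "replay_ip": later["ip"]})
                break  # one finding per session is enough for triage
    return hits


def triage(events):
    """Run both rules and return the findings as a dict for a SIEM or ticket."""
    return {"device_code": [e["user"] for e in flag_device_code(events)],
            "session_replay": flag_session_replay(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

The ASN comparison is deliberately coarse: comparing raw IPs produces false positives from mobile carriers and VPN egress changes, whereas a session that hops between autonomous systems minutes after an MFA-satisfied login is rare for real users. The device code rule is a baseline check, not a conviction; pair it with the source ASN and the requesting client's identity before acting.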
Tradecraft
22 distinct techniques observed across reporting, grouped by tactic.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
Established AiTM phishing platform targeting Microsoft 365 that has expanded to device code flow phishing, using anti-bot protections, obfuscated anti-analysis JavaScript, browser fingerprinting, and spoofed legal/document-signature lures.
Phishing-as-a-service group associated with credential phishing campaigns. After a joint disruption by Microsoft and Europol, the group's activity dropped temporarily, but it began rehosting infrastructure, with many domains shifting to .ru TLDs.
A phishing-as-a-service platform associated with high-volume credential phishing campaigns using CAPTCHA-gated phishing pages. Following disruption in early March 2026, it partially recovered and shifted infrastructure away from Cloudflare-hosted services to new top-level domains, with many domains moving to .ru.
Operators behind the Tycoon2FA phishing-as-a-service platform resumed large-scale cloud account phishing after a law enforcement takedown, using adversary-in-the-middle phishing to bypass MFA and compromise Microsoft 365 and other cloud accounts.